Accessing Amazon Web Services services with temporary credentials - Amazon Cognito

The result of a successful authentication with an identity pool is a set of Amazon credentials. With these credentials, your application can make requests to Amazon resources that are protected with IAM authentication. Using the Amazon SDKs that give your application access to identity pool API operations, you can make unauthenticated API requests that produce temporary credentials. You can then add SDKs for other Amazon Web Services services to your client and sign requests with those temporary credentials. The IAM permissions granted to your temporary-credentials role must permit the operations that you request from other services.

After you configure your Amazon Cognito credentials provider and retrieve Amazon credentials, create an Amazon Web Services service client. The following are some examples from Amazon SDK documentation.

Amazon SDK resources for creating a client

The following snippet initializes an Amazon DynamoDB client:

To use an Amazon Cognito identity pool in an Android app, set up Amazon Amplify. For more information, see Authentication in the Amplify Dev Center.

// Create a service client with the provider
AmazonDynamoDB client = new AmazonDynamoDBClient(credentialsProvider);

The credentials provider communicates with Amazon Cognito, retrieving both the unique identifier for authenticated and unauthenticated users as well as temporary, limited-privilege Amazon credentials for the Amazon Mobile SDK. The retrieved credentials are valid for one hour, and the provider refreshes them when they expire.

To use an Amazon Cognito identity pool in an iOS app, set up Amazon Amplify. For more information, see Swift Authentication and Flutter Authentication in the Amplify Dev Center.

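// create a configuration that uses the provider
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1 provider:credentialsProvider];
// make it the default so that default clients sign requests with the Cognito credentials
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
// get a client with the default service configuration
AWSDynamoDB *dynamoDB = [AWSDynamoDB defaultDynamoDB];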

To use an Amazon Cognito identity pool in an iOS app, set up Amazon Amplify. For more information, see Swift Authentication in the Amplify Dev Center.

// get a client with the default service configuration
let dynamoDB = AWSDynamoDB.default()
// get a client with a custom configuration
AWSDynamoDB.register(with: configuration!, forKey: "USWest2DynamoDB")
let dynamoDBCustom = AWSDynamoDB(forKey: "USWest2DynamoDB")

// Create a service client with the provider
var dynamodb = new AWS.DynamoDB({region: 'us-west-2'});
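The one-hour lifetime and refresh-on-expiry behaviour that this page describes, sketched in JavaScript as an added example; it is not code from the Amazon SDKs or from this documentation. `fetchCredentials`, `CachedCredentials`, `needsRefresh` and the 5-minute margin are hypothetical names and values, and the credential field names are assumed to follow the identity pool response shape.

```javascript
// Refresh this long before expiry so no request is signed with credentials
// that lapse in flight. The 5-minute margin is an assumed value.
const REFRESH_SKEW_MS = 5 * 60 * 1000;

// True when credentials are missing, unparseable, or inside the skew window.
function needsRefresh(creds, nowMs, skewMs = REFRESH_SKEW_MS) {
  if (!creds || !creds.Expiration) return true;
  const expiresAt = new Date(creds.Expiration).getTime();
  if (Number.isNaN(expiresAt)) return true; // fail closed on a bad expiry
  return expiresAt - nowMs <= skewMs;
}

class CachedCredentials {
  // fetchCredentials: hypothetical async function that asks the identity pool
  // for { AccessKeyId, SecretKey, SessionToken, Expiration }.
  constructor(fetchCredentials, now = Date.now) {
    this.fetchCredentials = fetchCredentials;
    this.now = now;
    this.current = null;
    this.inFlight = null;
  }

  // Resolves to usable credentials, fetching a new set only when needed.
  get() {
    if (!needsRefresh(this.current, this.now())) {
      return Promise.resolve(this.current);
    }
    if (!this.inFlight) {
      // Single flight: concurrent callers share one request to the pool.
      this.inFlight = this.fetchCredentials()
        .then((creds) => {
          if (needsRefresh(creds, this.now(), 0)) {
            throw new Error('identity pool returned expired credentials');
          }
          this.current = creds;
          return creds;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
}
```

Build each service client from the object that `get()` resolves to, and keep the secret key and session token out of application logs.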

The Amazon SDK for Unity is now part of the Amazon SDK for .NET. To get started with Amazon Cognito in the Amazon SDK for .NET, see Amazon Cognito credentials provider in the Amazon SDK for .NET Developer Guide. Or see Amplify Dev Center for options for building an app with Amazon Amplify.

// create a service client that uses credentials provided by Cognito
AmazonDynamoDBClient client = new AmazonDynamoDBClient(credentials, REGION);

The Amazon SDK for Xamarin is now part of the Amazon SDK for .NET. To get started with Amazon Cognito in the Amazon SDK for .NET, see Amazon Cognito credentials provider in the Amazon SDK for .NET Developer Guide. Or see Amplify Dev Center for options for building an app with Amazon Amplify.

// create a service client that uses credentials provided by Cognito
var client = new AmazonDynamoDBClient(credentials, REGION);
